Ecole d'ingénieur et centre de recherche en Sciences du numérique

DISCLOSURE: Detecting botnet command and control servers through large-scale netflow analysis

Bilge, Leyla; Balzarotti, Davide; Robertson, William; Kirda, Engin; Kruegel, Christopher

ACSAC 2012, 28th Annual Computer Security Applications Conference, December 3-7, 2012, Orlando, Florida, USA

Botnets continue to be a significant problem on the Internet. Accordingly, a great deal of research has focused on methods for detecting and mitigating the effects of botnets. Two of the primary factors preventing the development of effective large-scale, wide-area botnet detection systems are seemingly contradictory. On the one hand, technical and administrative restrictions result in a general unavailability of raw network data that would facilitate botnet detection on a large scale. On the other hand, were this data available, real-time processing at that scale would be a formidable challenge. In contrast to raw network data, NetFlow data is widely available. However, NetFlow data imposes several challenges for performing accurate botnet detection. In this paper, we present Disclosure, a large-scale, wide-area botnet detection system that incorporates a combination of novel techniques to overcome the challenges imposed by the use of NetFlow data. In particular, we identify several groups of features that allow Disclosure to reliably distinguish C&C channels from benign traffic using NetFlow records (i.e., flow sizes, client access patterns, and temporal behavior). To reduce Disclosure's false positive rate, we incorporate a number of external reputation scores into our system's detection procedure. Finally, we provide an extensive evaluation of Disclosure over two large, real-world networks. Our evaluation demonstrates that Disclosure is able to perform real-time detection of botnet C&C channels over datasets on the order of billions of flows per day.

Document Doi Bibtex

Titre:DISCLOSURE: Detecting botnet command and control servers through large-scale netflow analysis
Type:Conférence
Langue:English
Ville:Orlando
Pays:ÉTATS-UNIS
Date:
Département:Sécurité numérique
Eurecom ref:3886
Copyright: © ACM, 2012. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACSAC 2012, 28th Annual Computer Security Applications Conference, December 3-7, 2012, Orlando, Florida, USA http://dx.doi.org/10.1145/2420950.2420969
Bibtex: @inproceedings{EURECOM+3886, doi = {http://dx.doi.org/10.1145/2420950.2420969 }, year = {2012}, title = {{DISCLOSURE}: {D}etecting botnet command and control servers through large-scale netflow analysis}, author = {{B}ilge, {L}eyla and {B}alzarotti, {D}avide and {R}obertson, {W}illiam and {K}irda, {E}ngin and {K}ruegel, {C}hristopher }, booktitle = {{ACSAC} 2012, 28th {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference, {D}ecember 3-7, 2012, {O}rlando, {F}lorida, {USA}}, address = {{O}rlando, {\'{E}}{TATS}-{UNIS}}, month = {12}, url = {http://www.eurecom.fr/publication/3886} }
Voir aussi: